CISOs Paint Gloomy Picture of State IT Security

NASCIO Survey: Spending Cuts Make It Tough to Secure IT Systems

A survey of officials responsible for securing state government IT paints a gloomy picture of the current condition of information security.

The tough economy has debilitated state government, and many states continue to reel under budget deficits, which have an adverse impact on the ability of states to secure their digital assets, according to the 2010 Deloitte-NASCIO Cybersecurity Study unveiled Tuesday by the National Association of State Chief Information Officers and the management consultancy Deloitte.

Nearly nine of 10 respondents said the lack of funding is the biggest barrier to securing their states' IT systems. And, nearly eight of 10 respondents said their states' IT security budgets have been cut or remained the same from the previous year. "Unprecedented budgetary cuts across state governments and growing reliance on contractors and outsourced IT services are creating an environment that is even harder to secure," NASCIO President and Utah CIO Steve Fletcher said in a statement that accompanied the release of the study.

That's in sharp contrast to what's occurring in business; another Deloitte study shows that spending on IT security in the financial services industry rose during the economic downturn. "Research suggests that in lackluster economies, the security environment gets more dangerous," the report states. "With this in mind, it may not be the right time to cut security funding, given current risks."

After funding, the next most frequently cited obstacle to securing state IT was the increasing sophistication of threats, chosen by 56 percent of state IT security officers, followed by inadequate availability of security professionals (40 percent), lack of support from business stakeholders (38 percent) and lack of visibility and influence within the enterprise (38 percent).

The CISOs and CIOs surveyed, as a group, didn't show much confidence in their ability to protect information assets from threats. Just over one-third of respondents said they were very or extremely confident in safeguarding data from external threats; they showed even less confidence in protecting information from internal threats, with only 13 percent saying they were very or extremely confident.

Fifty-five percent reported that they had at least one accidental breach of information originating from inside their enterprises, such as the loss of unencrypted laptops and hard drives; another 40 percent said malicious software found on state computers originated from inside the enterprise; and 36 percent blamed employees for information breaches such as abusing privileged access or falling for phishing e-mail.

All but one state participated in the survey, and among its main findings:

The enterprise CISO position is firmly established in the majority of states. To be successful, the researchers recommend, CISOs must continue to evolve this position to garner enterprise visibility, authority, executive support and business involvement.

States increasingly embrace strategic planning as part of their cybersecurity approaches and are converging on the National Institute of Standards and Technology risk assessment framework for strategic alignment. But, the report's authors caution, compliance with the NIST framework is unlikely to be achieved without compliance audit and enforcement requirements such as those detailed in the Federal Information Security Management Act, which governs IT security in the federal government.

Security budgets and resources available to state CISOs lag behind those of their private-sector counterparts, a gap that is seen widening as businesses invest more on IT security.

Threats to personally identifiable information and personal health information are growing both internally and externally. States are in the early stages of establishing programs and deploying technology to protect sensitive data.

States employ the services of contractors, managed service providers and other third parties to deliver sensitive and critical constituent services, but their management of the security of these third-party providers may not be keeping pace with the escalation of threats.

The dire situation many states face seems unending, as one state CISO told researchers: "On any given day, I deal with new viruses, zombie networks, phishing and pharming scams, foreign espionage, financial fraud and serious vulnerabilities introduced from the latest social networking or technological gadget on the market. My day feels like an over-the-top suspense movie."